Gary Hibberd

ISO27001:2022 - A5.36 – Compliance with policies and standards for information security

Updated: Aug 2



ISO27001 has several controls which are inter-related, and this is another one of those controls.  Annex A control A5.35 Independent review of information security requires that your approach to managing information security is reviewed independently, so the reviews carried out under A5.35 and the compliance checks required by A5.36 naturally overlap. They are not the same thing, though: A5.35 is about the objectivity of the review, while A5.36 is about whether people are actually doing what your policies, rules and standards say they should.

 

Let’s look more carefully at this control and see what is specifically required.


 

What does the standard require?


The standard states that “Compliance with the organisation's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.” (A5.36 – Compliance with policies and standards for information security).

 

Essentially, you are being asked to evidence that you implement and operate information security in line with your information security policy, topic-specific policies, rules, and standards, and that you check this regularly rather than assuming it.

 

Why is this required?


Having policies in place and having people follow them are two very different things.  Throughout the Annex A controls you will develop a range of policies, including Access Control (A5.15), Back-up (A8.13), Clear desk and screen (A7.7) and Acceptable Use (A5.10). But how are you ensuring these policies are being followed?

 

Without checking compliance with your policies, you could have policies that, at best, people don’t understand, and at worst, are constantly being breached without anyone noticing.

 

Your policies, rules and standards are important as they set out the expectations you place on people, clients and suppliers. Without adequate checks in place, you won't know whether your policies are working or not.

 

What the auditor is looking for


The auditor will want to see the results of audits that provide evidence of compliance with your policies, rules, and standards, and evidence of what you did about any non-compliance you found.

 

For example, when auditing physical security, you might include auditing of the Clear desk and Clear screen policy. If you are auditing key processes, then you might audit compliance with the policy which relates specifically to the acceptable use of email, instant messaging or Artificial Intelligence (AI).

 

Specifically, the auditor will look for evidence of:

 

  • Audit Plans

  • Audit records and reports

  • Management Review Meeting Minutes

  • Corrective Action Plans


What do you need to do?


Develop an approach to auditing which includes consideration for the policies you have implemented.  Look at the area you are going to audit and identify which policies, rules and standards are relevant to that area. For example, when speaking to IT, ask about the use of cryptography and check that what your policy says is accurate and actually takes place in practice.

 

This is an extremely important point: your policies, rules and standards must reflect what you actually do. Don’t buy generic documents, or use AI tools like ChatGPT, and expect them to be accurate.  They need to reflect you and your business; otherwise every compliance check you carry out will simply confirm that the policy is wrong.

 

No matter what you may think of policies, they are extremely important and you need to ensure you’re complying with them.


 

Q & A


What does ‘compliance’ mean?

Basically, it means: are you and your organisation doing what you said you would do, as outlined in your policy, rule or standard?  This is why it’s important to have documents which reflect who you are, and what you do.  For example, if you state in your Access Control Policy that all visitors must wear a visible badge, does this happen? Are visitors given a badge? If not, why not? Is it a simple oversight, or a sign of a bigger issue that people aren’t following your policies?

 

How often should we review our policies?

This should be in line with your review and audit schedule and be part of the audit process, which will ensure you look for compliance with your policies, rules and standards each time an area is audited, rather than treating policy review as a separate exercise.

 

Difficulty rating

We rate this a 1 out of 5 difficulty rating. Understanding or implementing this control isn't complicated. Ensure this is part of your audit programme and review process and you won’t have any difficulty with this.


 

More questions?

Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see its relationship to other controls, but if you’re still confused about this control, then please get in touch.

 

For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.

 

 
